Hi ,

Quick Question :

Can someone explain the Impact of Active directory security policies on Packaging process .

Do we need to consider the role of Active directory during Packaging activity .

Kindly suggest any good articles on the same .

Cheers ,
0 Comments   [ + ] Show Comments


Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.


The only thing to really consider is how you want to setup the policy for your installs.

If you set up the installs on a per computer basis, no user specific settings will be installed (ie HKCU, profile specific files, etc.). Instead they will be applied to the all user profile.

If you set up the installs per user, then your user specific settings are installed.

So if you plan on installing all apps per computer, so that applications are available to anyone that logs onto a certain machine, then some tweaking to your MSI's will be necessary. (There's a number of good posts on this site regarding installing MSI's per computer, then using the self-healing property to set userspecific setings.)

If you plan on installing all apps per user, so that applications will be installed on any machine a user logs in to, then no modification is usually necessary.
Answered 04/28/2005 by: Bladerun
Green Belt

Please log in to comment
I don't think AD has much impact on packaging an app. It may change how you want to deliver the application, but probably not packaging.
Answered 04/28/2005 by: Thaiboxer
Orange Belt

Please log in to comment
Thanks for reply .
Yes we are installing all applications per machine .

Few more questions with regards to the topic of discussion :

1) What about packaging applications which install unsigned drivers ?
Which one of following is a better option :
1) Try repackaging the unsigned driver
2) Changing GPO settings for allowing unsigned drivers

2) Are there any cases experienced when repackaged MSI works without AD but gives unexpected results when installed using AD + GPO ?

Cheers ,
Answered 04/28/2005 by: viv_bhatt1
Senior Purple Belt

Please log in to comment
I recently had a problem with a piece of software produced by AMBest. It installed fine when run normally, yet when I tried to create a package in policy for it, it wouldn't import it.

I ran a validation on it and found ICE errors all over the place. With much help from the good people here I was able to fix all the issues & eliminate all the ICE errors, and I could then create the policy without issue.
Answered 04/28/2005 by: Bladerun
Green Belt

Please log in to comment
HI ,

Thanks could you please elaborate more on the type of error (cause mainly) and may be the resolution for it .

I am doing an Impact analysis for my current project . I want to understand if I can use this as yet another concern .

Really appreciate your suggestions .

Cheers ,
Answered 04/28/2005 by: viv_bhatt1
Senior Purple Belt

Please log in to comment

For group policies, there are certain settings that affect how packages deploy. have a look at:


And you'll see they are:

Enables the Browse button on the Use feature from dialog box, even when an installation is running with system permissions.

Allows users to install programs from removable media, such as floppy disks and CD-ROMs, during installations running with system permissions. Installations offered on the desktop or displayed in Add/Remove Programs run with system permissions.

Permits all users to install patches, even when an installation program is running with elevated system permissions.


Directs Windows Installer to use system permissions when it installs a program. By default, Windows Installer uses the user's permissions to install programs.

Disables the Browse button beside the Use feature from list in the Windows Installer dialog box. By default, the Browse button is disabled only when users who are not administrators are using system permissions to install a program.

Disables or restricts the use of Windows Installer. This entry can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator.

Prevents users from using Windows Installer to install patches.

Prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.

Allows Terminal Services administrators to install and configure programs remotely.

Permits users to change installation options that typically are available only to system administrators.

Specifies the types of events that Windows Installer records in its transaction log. The log, Msi.log, appears in the Temp directory of the system volume.


Allows Web-based programs to install software on the computer without notifying the user.

Saves copies of transform files in a secure location on the local computer, instead of in the user's profile.

Hope that helps

Answered 04/28/2005 by: plangton
Second Degree Blue Belt

Please log in to comment
Thanks Paul ,

Really appreciate your help .

This has given me a good start .

I have found out that sometimes GPO settings have to be changed inorder to be ableto install applications which install unsigned device drivers .

I still haven't got a definite way to avoid this .

Answered 04/29/2005 by: viv_bhatt1
Senior Purple Belt

Please log in to comment
Answer this question or Comment on this question for clarity